<?php
/*
 * consentAdmin - Consent administration module
 *
 * This module enables the user to add and remove consents given for a given
 * Service Provider.
 *
 * The module relies on methods and functions from the Consent module and can
 * not be user without it.
 *
 * Author: Mads Freen <freek@ruc.dk>, Jacob Christiansen <jach@wayf.dk>
 */

/*
 * Runs the processingchain and ignores all filter which have user 
 * interaction.
 */
function driveProcessingChain($idp_metadata, $source, $sp_metadata, $sp_entityid, $attributes, $userid, $hashAttributes = FALSE) {

	/* 
	 * Create a new processing chain 
	 */
	$pc = new SimpleSAML_Auth_ProcessingChain($idp_metadata, $sp_metadata, 'idp');

	/* 
	 * Construct the state.
	 * REMEMBER: Do not set Return URL if you are calling processStatePassive
	 */
	$authProcState = array(
		'Attributes' => $attributes,
		'Destination' => $sp_metadata,
		'Source' => $idp_metadata,
		'isPassive' => TRUE,
	);

	/* 
	 * Call processStatePAssive.
	 * We are not interested in any user interaction, only modifications to the attributes
	 */
	$pc->processStatePassive($authProcState);

	$attributes = $authProcState['Attributes'];

	/*
	 * Generate identifiers and hashes
	 */
	$destination = $sp_metadata['metadata-set'] . '|' . $sp_entityid;

	$targeted_id    = sspmod_consent_Auth_Process_Consent::getTargetedID($userid, $source, $destination);
	$attribute_hash = sspmod_consent_Auth_Process_Consent::getAttributeHash($attributes, $hashAttributes);

	SimpleSAML_Logger::info('consentAdmin: user: ' . $userid);
	SimpleSAML_Logger::info('consentAdmin: target: ' . $targeted_id);
	SimpleSAML_Logger::info('consentAdmin: attribute: ' . $attribute_hash);

	/* Return values */
	return array($targeted_id, $attribute_hash, $attributes);
}

// Get config object
$config = SimpleSAML_Configuration::getInstance();
$cA_config = SimpleSAML_Configuration::getConfig('module_consentAdmin.php');
$authority = $cA_config->getValue('authority');

$as = new SimpleSAML_Auth_Simple($authority);

// If request is a logout request
if(array_key_exists('logout', $_REQUEST)) {
    $returnURL = $cA_config->getValue('returnURL');
	$as->logout($returnURL);
}

$hashAttributes = $cA_config->getValue('attributes.hash');

/* Check if valid local session exists */
$as->requireAuth();

// Get released attributes
$attributes = $as->getAttributes();

// Get metadata storage handler
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

/*
 * Get IdP id and metadata
 */


$local_idp_entityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$local_idp_metadata = $metadata->getMetaData($local_idp_entityid, 'saml20-idp-hosted');

if($as->getAuthData('saml:sp:IdP') !== NULL) {
	/*
	 * From a remote idp (as bridge)
 	 */
	$idp_entityid = $as->getAuthData('saml:sp:IdP');
	$idp_metadata = $metadata->getMetaData($idp_entityid, 'saml20-idp-remote');
} else {
	/*
	 * from the local idp
	 */
	$idp_entityid = $local_idp_entityid;
	$idp_metadata = $local_idp_metadata;
}

// Get user ID
$userid_attributename = (isset($local_idp_metadata['userid.attribute']) && is_string($local_idp_metadata['userid.attribute'])) ? $local_idp_metadata['userid.attribute'] : 'eduPersonPrincipalName';

$userids = $attributes[$userid_attributename];
		
if (empty($userids)) {
	throw new Exception('Could not generate useridentifier for storing consent. Attribute [' .
		$userid_attributename . '] was not available.');
}

$userid = $userids[0];

// Get all SP metadata
$all_sp_metadata = $metadata->getList('saml20-sp-remote');

// Parse action, if any
$action = null;
$sp_entityid = null;
if (!empty($_GET['cv'])) {
	$sp_entityid=$_GET['cv'];
}
if (!empty($_GET['action'])) {
	$action=$_GET["action"];
}

SimpleSAML_Logger::critical('consentAdmin: sp: ' .$sp_entityid.' action: '.$action);

// Remove services, whitch have consent disabled
if(isset($idp_metadata['consent.disable'])) {
    foreach($idp_metadata['consent.disable'] AS $disable) {
        if(array_key_exists($disable, $all_sp_metadata)) {
            unset($all_sp_metadata[$disable]);
        }
    }
}

SimpleSAML_Logger::info('consentAdmin: '.$idp_entityid);

// Calc correct source
$source = $idp_metadata['metadata-set'] . '|' . $idp_entityid;

// Parse consent config
$consent_storage = sspmod_consent_Store::parseStoreConfig($cA_config->getValue('consentadmin'));

// Calc correct user ID hash
$hashed_user_id = sspmod_consent_Auth_Process_Consent::getHashedUserID($userid, $source);

// If a checkbox have been clicked
if ($action != null && $sp_entityid != null) {
	// Get SP metadata
	$sp_metadata = $metadata->getMetaData($sp_entityid, 'saml20-sp-remote');

	// Run AuthProc filters
	list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata, $sp_entityid, $attributes, $userid, $hashAttributes);

	// Add a consent (or update if attributes have changed and old consent for SP and IdP exists)
	if($action == 'true') {
		$isStored = $consent_storage->saveConsent($hashed_user_id, $targeted_id, $attribute_hash);
		if($isStored) {
			$res = "added";
		} else {
			$res = "updated";
		}
	// Remove consent
	} else if($action == 'false') {
		// Got consent, so this is a request to remove it
		$rowcount = $consent_storage->deleteConsent($hashed_user_id, $targeted_id, $attribute_hash);
		if($rowcount > 0) {
			$res = "removed";
		}
	// Unknown action (should not happen)
	} else {
		SimpleSAML_Logger::info('consentAdmin: unknown action');
		$res = "unknown";
	}
	/*
	 * Init template to enable translation of status messages 
 	 */
	$et = new SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadminajax.php', 'consentAdmin:consentadmin');
	$et->data['res'] = $res;
	$et->show();
	exit;
}

// Get all consents for user
$user_consent_list = $consent_storage->getConsents($hashed_user_id);

// Parse list of consents
$user_consent = array();
foreach ($user_consent_list as $c) {
	$user_consent[$c[0]]=$c[1];
}

$template_sp_content = array();

// Init template
$et = new SimpleSAML_XHTML_Template($config, 'consentAdmin:consentadmin.php', 'consentAdmin:consentadmin');
$sp_empty_name = $et->getTag('sp_empty_name');
$sp_empty_description = $et->getTag('sp_empty_description');

// Process consents for all SP
foreach ($all_sp_metadata as $sp_entityid => $sp_values) {
	// Get metadata for SP
	$sp_metadata = $metadata->getMetaData($sp_entityid, 'saml20-sp-remote');

	// Run attribute filters
	list($targeted_id, $attribute_hash, $attributes_new) = driveProcessingChain($idp_metadata, $source, $sp_metadata, $sp_entityid, $attributes, $userid, $hashAttributes);

	// Check if consent exists
	if (array_key_exists($targeted_id, $user_consent)) {
		$sp_status = "changed";
		SimpleSAML_Logger::info('consentAdmin: changed');
		// Check if consent is valid. (Possible that attributes has changed)
		if ($user_consent[$targeted_id] == $attribute_hash) {
			SimpleSAML_Logger::info('consentAdmin: ok');
			$sp_status = "ok";
		}
	// Consent does not exists
	} else {
		SimpleSAML_Logger::info('consentAdmin: none');
		$sp_status = "none";
	}

	// Set name of SP
	if(isset($sp_values['name']) && is_array($sp_values['name'])) {
		$sp_name = $sp_metadata['name'];
    } else if(isset($sp_values['name']) && is_string($sp_values['name'])) {
		$sp_name = $sp_metadata['name'];
	} elseif(isset($sp_values['OrganizationDisplayName']) && is_array($sp_values['OrganizationDisplayName'])) {
		$sp_name = $sp_metadata['OrganizationDisplayName'];
	} else {
		$sp_name = $sp_empty_name;
	}

	// Set description of SP
	if(empty($sp_metadata['description']) || !is_array($sp_metadata['description'])) {
		$sp_description = $sp_empty_description;
	} else {
		$sp_description = $sp_metadata['description'];
	}

    // Add an URL to the service if present in metadata
    $sp_service_url = isset($sp_metadata['ServiceURL']) ? $sp_metadata['ServiceURL'] : null;

	// Fill out array for the template
	$sp_list[$sp_entityid] = array(
		'spentityid' => $sp_entityid,
		'name' =>  $sp_name,
		'description' =>  $sp_description,
		'consentStatus' => $sp_status,
		'consentValue' => $sp_entityid,
		'attributes_by_sp' => $attributes_new,
        'serviceurl' => $sp_service_url,
	);
}

$et->data['header'] = 'Consent Administration';
$et->data['spList'] = $sp_list;
$et->data['showDescription'] = $cA_config->getValue('showDescription');
$et->show();
?>
